The Pennsylvania State Education Association (PSEA), the largest public-sector union in Pennsylvania, is notifying over half a million individuals that attackers stole their personal information in a July 2024 security breach.

The union represents over 178,000 education professionals, including teachers, support staff, higher education personnel, nurses, retired educators, and future teachers.

“PSEA experienced a security incident on or about July 6, 2024 that impacted our network environment,” the organization said in breach notification letters sent to 517,487 individuals.

“Through a thorough investigation and extensive review of impacted data which was completed on February 18, 2025, we determined that the data acquired by the unauthorized actor contained some personal information belonging to individuals whose information was contained within certain files within our network.”

PSEA says the stolen information varies by individual and consists of personal, financial, and health data, including driver’s license or state IDs, social security numbers, account PINs, security codes, payment card information, passport information, taxpayer ID numbers, credentials, health insurance and medical information.

The union offers free IDX credit monitoring and identity restoration services to individuals whose Social Security numbers were affected if they enroll by June 17, 2025. It also advised those affected to monitor their financial account statements and credit reports for suspicious activity, obtain a free credit report, and place a fraud alert and/or a security freeze on their credit files.

Breach claimed by Rhysida ransomware

While PSEA didn’t attribute the attack to a specific threat actor, the Rhysida ransomware gang claimed the breach on September 9, 2024.

The cybercrime group demanded a 20 BTC ransom, threatening to leak the stolen data if the ransom demand was not paid. While PSEA didn’t share if it paid to prevent the data leak, the ransomware gang has removed the entry from their dark web leak site.

​The Rhysida ransomware-as-a-service (RaaS) operation surfaced almost two years ago, in May 2023, and gained notoriety after breaching the British Library and the Chilean Army (Ejército de Chile).

The gang hacked Sony subsidiary Insomniac Games in November 2023 and leaked 1,67 TB of documents after the game studio refused to pay a $2 million ransom.

Rhysida ransomware affiliates also claimed a cyberattack on Lurie Children’s Hospital in Chicago in February 2024, a leading U.S. pediatric acute care institution that provides care to over 200,000 children annually, offering to sell the stolen data for 60 BTC (roughly $3,700,000 at the time).

More recently, the Singing River Health System warned that nearly 900,000 people’s data was stolen in an August 2023 ransomware attack, and the City of Columbus, Ohio, notified 500,000 individuals of a data breach after a July 2024 Rhysida breach.

CISA and the FBI warned that Rhysida affiliates are behind many opportunistic attacks targeting organizations across a wide range of industry sectors, while the U.S. Department of Health and Human Services (HHS) has linked Rhysida to attacks targeting healthcare organizations.